Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

slightly confusing KSPP header, introduce `KSPP=undocumented` comment in case KSPP does not mention it #275

Closed adrelanos closed 1 month ago

adrelanos commented 1 month ago

For example https://github.com/Kicksecure/security-misc/blob/master/etc/default/grub.d/41_quiet_boot.cfg is currently a bit confusing.

```
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
```

So this is KSPP compliant, partial or not? The file header shows the various KSPP compliance statuses, but how about settings that KSPP does not mention but we add?

It's not KSPP=no as KSPP has not commented on it. New status?

KSPP=undocumented: not mentioned by KSPP

raja-grewal commented 1 month ago

Yes, I think this is easily doable.

Only downside is that it would increase verbosity quite a lot for every 'undocumented' boot parameter and sysctl.

Alternatively, we could add a single line in the Definitions: header explaining that if there is no mention of KSPP compliance, it should be treated as undocumented.

Not sure what would be the better solution at this time.

adrelanos commented 1 month ago

> Alternatively, we could add a single line in the Definitions: header explaining that if there is no mention of KSPP compliance, it should be treated as undocumented.

That's also good.

adrelanos commented 1 month ago

Thanks to https://github.com/Kicksecure/security-misc/pull/276 this has been resolved.